fix: read-only scoped API keys cannot access MCP (outline#11875)

tommoor · web-flow · commit 45b2f6e2222d · 2026-03-26T00:15:28.000-04:00
diff --git a/server/models/ApiKey.test.ts b/server/models/ApiKey.test.ts
@@ -1,4 +1,5 @@
 import { randomString } from "@shared/random";
+import { Scope } from "@shared/types";
 import { buildApiKey } from "@server/test/factories";
 import ApiKey from "./ApiKey";
 
@@ -110,5 +111,23 @@ describe("#ApiKey", () => {
       expect(apiKey.canAccess("/api/documents.create")).toBe(false);
       expect(apiKey.canAccess("/api/collections.create")).toBe(false);
     });
+
+    it("should allow MCP access for scoped API keys", async () => {
+      const apiKey = await buildApiKey({
+        name: "Dev",
+        scope: [Scope.Read],
+      });
+
+      expect(apiKey.canAccess("/mcp")).toBe(true);
+      expect(apiKey.canAccess("/mcp/")).toBe(true);
+    });
+
+    it("should allow MCP access for unscoped API keys", async () => {
+      const apiKey = await buildApiKey({
+        name: "Dev",
+      });
+
+      expect(apiKey.canAccess("/mcp")).toBe(true);
+    });
   });
 });
diff --git a/server/models/ApiKey.ts b/server/models/ApiKey.ts
@@ -176,6 +176,12 @@ class ApiKey extends ParanoidModel<
       return true;
     }
 
+    // MCP endpoint access is allowed if the key has any valid scope.
+    // Fine-grained scope enforcement happens at the tool level.
+    if (path.startsWith("/mcp")) {
+      return this.scope.length > 0;
+    }
+
     return AuthenticationHelper.canAccess(path, this.scope);
   };
 }
diff --git a/server/models/oauth/OAuthAuthentication.test.ts b/server/models/oauth/OAuthAuthentication.test.ts
@@ -0,0 +1,48 @@
+import { Scope } from "@shared/types";
+import { buildOAuthAuthentication, buildUser } from "@server/test/factories";
+
+describe("OAuthAuthentication", () => {
+  describe("canAccess", () => {
+    it("should allow MCP access for scoped tokens", async () => {
+      const user = await buildUser();
+      const authentication = await buildOAuthAuthentication({
+        user,
+        scope: [Scope.Read],
+      });
+
+      expect(authentication.canAccess("/mcp")).toBe(true);
+      expect(authentication.canAccess("/mcp/")).toBe(true);
+    });
+
+    it("should deny MCP access for tokens with empty scope", async () => {
+      const user = await buildUser();
+      const authentication = await buildOAuthAuthentication({
+        user,
+        scope: [],
+      });
+
+      expect(authentication.canAccess("/mcp")).toBe(false);
+    });
+
+    it("should always allow the revoke endpoint", async () => {
+      const user = await buildUser();
+      const authentication = await buildOAuthAuthentication({
+        user,
+        scope: [Scope.Read],
+      });
+
+      expect(authentication.canAccess("/oauth/revoke")).toBe(true);
+    });
+
+    it("should check scopes for API paths", async () => {
+      const user = await buildUser();
+      const authentication = await buildOAuthAuthentication({
+        user,
+        scope: [Scope.Read],
+      });
+
+      expect(authentication.canAccess("/api/documents.list")).toBe(true);
+      expect(authentication.canAccess("/api/documents.update")).toBe(false);
+    });
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,12 @@ class ApiKey extends ParanoidModel<`
`176`	`176`	`return true;`
`177`	`177`	`}`
`178`	`178`
	`179`	`+ // MCP endpoint access is allowed if the key has any valid scope.`
	`180`	`+ // Fine-grained scope enforcement happens at the tool level.`
	`181`	`+ if (path.startsWith("/mcp")) {`
	`182`	`+ return this.scope.length > 0;`
	`183`	`+ }`
	`184`	`+`
`179`	`185`	`return AuthenticationHelper.canAccess(path, this.scope);`
`180`	`186`	`};`
`181`	`187`	`}`